Discussion:
disallowed zone transfer from axfrdns
Jeremy Hansen
2004-07-12 18:28:33 UTC
Permalink
I'm getting a fatal: disallowed zone transfer request from axfrdns and I
can't figure out why I'm getting this.

Here is my axfrdns rules:

172.18.107.168:allow,AXFR="blah.com/2.30.172.in-addr.arpa"
172.18.2.10:allow,AXFR="blah.com/2.30.172.in-addr.arpa"
172.18.2.11:allow,AXFR="blah.com/2.30.172.in-addr.arpa"
172.19.1.4:allow,AXFR="blah.com/2.30.172.in-addr.arpa"

172.18.107.168:allow,AXFR="blah2.com/2.30.172.in-addr.arpa"
172.18.2.10:allow,AXFR="blah2.com/2.30.172.in-addr.arpa"
172.18.2.11:allow,AXFR="blah2.com/2.30.172.in-addr.arpa"
172.19.1.4:allow,AXFR="blah2.com/2.30.172.in-addr.arpa"

Here's what I see:

@4000000040f2d77400ad2244 tcpserver: ok 16046 0:172.30.2.35:53
:172.19.1.4::1284
@4000000040f2d77400c2928c ac1e5021:0504:0000 00fc blah.com
@4000000040f2d77400c388a4 axfrdns: fatal: disallowed zone transfer request
@4000000040f2d77400c70b14 tcpserver: end 16046 status 28416
@4000000040f2d77400c712e4 tcpserver: status: 0/40
:deny

but the strange thing is, I can do zone trnsfers fine from 172.18.2.10
for example which is also in the rule set.

Thanks for any help.

-jeremy
Zak Johnson
2004-07-12 19:33:12 UTC
Permalink
Post by Jeremy Hansen
172.18.107.168:allow,AXFR="blah.com/2.30.172.in-addr.arpa"
172.18.2.10:allow,AXFR="blah.com/2.30.172.in-addr.arpa"
172.18.2.11:allow,AXFR="blah.com/2.30.172.in-addr.arpa"
172.19.1.4:allow,AXFR="blah.com/2.30.172.in-addr.arpa"
172.18.107.168:allow,AXFR="blah2.com/2.30.172.in-addr.arpa"
172.18.2.10:allow,AXFR="blah2.com/2.30.172.in-addr.arpa"
172.18.2.11:allow,AXFR="blah2.com/2.30.172.in-addr.arpa"
172.19.1.4:allow,AXFR="blah2.com/2.30.172.in-addr.arpa"
tcpserver uses the first rule it finds; more than one line for a single
IP address will not work. Instead:

172.19.1.4:allow,AXFR="blah.com/blah2.com/2.30.172.in-addr.arpa"

-Zak
Jeremy Hansen
2004-07-12 20:16:44 UTC
Permalink
This worked. Thanks.

-jeremy
Post by Zak Johnson
Post by Jeremy Hansen
172.18.107.168:allow,AXFR="blah.com/2.30.172.in-addr.arpa"
172.18.2.10:allow,AXFR="blah.com/2.30.172.in-addr.arpa"
172.18.2.11:allow,AXFR="blah.com/2.30.172.in-addr.arpa"
172.19.1.4:allow,AXFR="blah.com/2.30.172.in-addr.arpa"
172.18.107.168:allow,AXFR="blah2.com/2.30.172.in-addr.arpa"
172.18.2.10:allow,AXFR="blah2.com/2.30.172.in-addr.arpa"
172.18.2.11:allow,AXFR="blah2.com/2.30.172.in-addr.arpa"
172.19.1.4:allow,AXFR="blah2.com/2.30.172.in-addr.arpa"
tcpserver uses the first rule it finds; more than one line for a single
172.19.1.4:allow,AXFR="blah.com/blah2.com/2.30.172.in-addr.arpa"
-Zak
Loading...